[Snort-users] threshold.conf limit not working for me

Russ Combs rcombs at ...1935...
Tue Apr 26 15:26:45 EDT 2011


* event_filter replaces the deprecated threshold keyword.

* gen_id 0, sig_id 0 does mean "all".

Are you seeing this in the start up output?

+-----------------------[event-filter-global]----------------------------------
| gen-id=global sig-id=global type=Limit     tracking=dst count=1 seconds=60

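To show what the filter Agus configured should do to the alerts he posted, here is an added example (not from the thread and not Snort's own code) that models `event_filter ... type limit` in Python over the five quoted syslog lines. It assumes the usual reading of the Snort manual: a global gen_id 0 / sig_id 0 filter is tracked per address across all rules, a rule-specific filter is tracked per rule and address, and each limit window opens at the first event seen for that key.

```python
import re

# Constructed sample input: the five alerts quoted in the original post, one per line.
SAMPLE_ALERTS = [
    "Apr 26 13:03:10 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58447 ->  10.10.x.21:1433",
    "Apr 26 13:03:10 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.100:53887 ->  10.10.x.21:1433",
    "Apr 26 13:03:12 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58448 ->  10.10.x.21:1433",
    "Apr 26 13:03:15 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.114:64883 ->  10.10.x.21:1433",
    "Apr 26 13:03:16 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58449 ->  10.10.x.21:1433",
]

# Fields the filter keys on: time of day, gid:sid, source and destination address.
ALERT_RE = re.compile(
    r"^\w{3} +\d+ (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] .*\{\w+\} "
    r"(?P<src>\S+):\d+ ->\s+(?P<dst>\S+):\d+$")

def parse_alert(line):
    """Return (seconds_of_day, gid, sid, src, dst) for one syslog alert line."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("unrecognised alert line: " + line)
    ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])  # sample is one day
    return ts, int(m["gid"]), int(m["sid"]), m["src"], m["dst"]

def event_filter_limit(lines, gen_id=0, sig_id=0, track="by_dst", count=1, seconds=60):
    """Model 'event_filter ... type limit': pass the first `count` events per
    tracked address in each `seconds` window and drop the rest of that window.
    gen_id 0 / sig_id 0 makes the filter global, keyed on the address alone
    (assumed reading of the manual); a specific gen_id/sig_id tracks one rule."""
    windows = {}  # key -> (window_start, events_seen_in_window)
    passed = []
    for line in lines:
        ts, gid, sid, src, dst = parse_alert(line)
        if (gen_id, sig_id) != (0, 0) and (gid, sid) != (gen_id, sig_id):
            passed.append(line)  # filter names a different rule: not filtered
            continue
        addr = dst if track == "by_dst" else src
        key = addr if (gen_id, sig_id) == (0, 0) else (gid, sid, addr)
        start, seen = windows.get(key, (None, 0))
        if start is None or ts - start >= seconds:
            start, seen = ts, 0  # this event opens a fresh window
        if seen < count:
            passed.append(line)
        windows[key] = (start, seen + 1)
    return passed
```

With the filter from the thread (limit, by_dst, count 1, seconds 60) all five alerts share the destination 10.10.x.21 inside six seconds, so only the first should reach the log; seeing all five means the filter was never loaded, which is what the startup banner above confirms or denies.
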
On Tue, Apr 26, 2011 at 3:01 PM, Agus <agus.262 at ...11827...> wrote:

> Exactly Waldo, it means all.
>
> Will try threshold, but the examples and README recommend event_filter.
>
> Will try and get back. Thanks guys
>
> 2011/4/26 Lay, James <james.lay at ...15009...>:
> > It's:
> >
> > threshold gen_id 0, sig_id 0 type limit, track by_dst, count 1, seconds 60
> >
> > James
> >
> > -----Original Message-----
> > From: waldo kitty [mailto:wkitty42 at ...14940...]
> > Sent: Tuesday, April 26, 2011 12:54 PM
> > To: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] threshold.conf limit not working for me
> >
> > On 4/26/2011 13:21, Agus wrote:
> >> Hi guys,
> >>
> >> I'm running snort 2903 and added this line to threshold.conf
> >> event_filter gen_id 0, sig_id 0, type limit, track by_dst, count 1, seconds 60
> >
> > hunh? does a gen_id and sig_id of 0 mean "all"?
> >
> >> But when I start snort I see lots of this
> >>
> >> Apr 26 13:03:10 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58447 ->  10.10.x.21:1433
> >> Apr 26 13:03:10 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.100:53887 ->  10.10.x.21:1433
> >> Apr 26 13:03:12 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58448 ->  10.10.x.21:1433
> >> Apr 26 13:03:15 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.114:64883 ->  10.10.x.21:1433
> >> Apr 26 13:03:16 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58449 ->  10.10.x.21:1433
> >>
> >> Is there something I'm missing?
> >
> > shouldn't the line be gen_id 1, sig_id 2010935  ???
> >
> > ------------------------------------------------------------------------
> > ------
> > WhatsUp Gold - Download Free Network Management Software The most
> > intuitive, comprehensive, and cost-effective network management toolset
> > available today.  Delivers lowest initial acquisition cost and overall
> > TCO of any competing solution.
> > http://p.sf.net/sfu/whatsupgold-sd
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >